DETAILED ACTION

This action is in response to applicant's election to a restriction requirement 
received on 12/22/04. Applicant elected Group I that includes claims 1-21 without 
traverse. Claims 22-49 are withdrawn. Claims 1-21 are now being examined. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Carlson, 6,381,649 (Carlson hereafter) in view of Woo, US Pub 2002/0023089 (Woo 
hereafter). 

As per claim 21, Carlson discloses a data monitoring and analyzing computing 
system that collects statistical information about network flows (abstract; col. 6, lines 38-
41) comprising: a computing device that executes a computer program product stored 
on the computer readable medium comprising instructions to cause the computing 
device to (11, fig. 1; col. 5, lines 5-9; switching node 'SN' computer is the computing 
device that performs the data monitoring and analyzing); monitors and collects traffic 
flow data (i.e., accumulates packets statistics) and stores the traffic data into memory 
locations known as buckets (col. 7, lines 46-51; monitoring device has memory 
locations called buckets to store traffic packet data); compare the accumulated statistic 
values (network flow data) from the buckets to configured threshold values 
corresponding to the number of buckets to determine that an event is of significance 
(col. 3, lines 40-46; col. 7, lines 32-36 & 55-65; monitoring device compares the data 
units in the buckets to predetermined threshold values; out of compliance packets are 
'marked' for discarding to prevent the system from excess network traffic or traffic 
congestion); a port to link the data collector to a central control center (20, fig. 2; col. 6, 
lines 38-43; input module (20, fig. 2) port links the monitoring and data collecting 
mechanism to the switching node (or central control device)). Carlson does not explicitly 
disclose using a hash function to map traffic flow (packets) into the buckets and 
adjusting the number of buckets as the number of buckets approaches a threshold (or 
some pre-determined value). In an analogous art to the claimed invention, Woo 
discloses a packet filtering system using a hashing function to search for the packets in 
the index bucket table (page 5, paragraphs 0093, 0096, 0098; packet data is mapped 
using hash function in the index table (30, fig. 2)); adjusting the number of bucket filters 
as the packet data reaches a pre-specified (threshold) value (page 1, paragraph 0023; 
page 4, paragraphs 0080, 0081; as the number of packets reaches a threshold value, 
the number of filter buckets can change dynamically). Hence, it would have been 
obvious to one of ordinary skill in the art to modify and combine the teachings of 
Carlson and Woo to use a hash function for quick sorting or lookup and adjusting the 
number of buckets (or filters) to accommodate changing traffic conditions as desired by 
the user as disclosed by Woo on [page 5, paragraph 0091]. 

Claims 1 and 14 recite similar limitations to claim 21; therefore, they are rejected 
using similar rationale as claim 21. 

As per claims 2 and 19, Carlson discloses the buckets are storage areas in a 
memory space of the monitor device (col. 7, lines 46-51). 

As per claim 3, Carlson discloses as the number of buckets changes, the buckets 
have values derived from the buckets prior to the change (col. 7, lines 49-54; system 
stores data in plurality of buckets; system maintains values of each bucket). 

As per claims 4 and 17, Woo discloses using hash function to map data in all 
the buckets (see claim 21 rejection; data mapping using hash function applies to new 
buckets as well). 

As per claim 5, Carlson discloses comparing the value accumulated in the bucket 
to a threshold that depends on the number of buckets (col. 7, lines 32-36). 

As per claims 6 and 18, Carlson discloses the parameter is the count of how 
many packets a data collector examines (col. 4, lines 7-9; counter is used to keep track 
of number of data units being stored in a bucket). 

As per claim 7, Carlson discloses a parameter for one bucket approaches a 
threshold, the monitoring device raises an alarm (col. 3, lines 43-46; when the value 
exceeds a predetermined threshold, the system raises the alarm by 'marking' the 
packets to let the system administrator know that the traffic is out of compliance). 

As per claims 8 and 20, Woo discloses applying security measures to the packet 
filtering system to prevent various unauthorized accesses (page 10, paragraph 0201; 
packets are classified by VPN or tunnel filters). Even if Woo does not explicitly disclose 
changing the hashing function periodically so that packets are reassigned to different 
buckets, it would have been obvious to one of ordinary skill in the art to apply various 
security measures to prevent the system from unauthorized access or network attacks 
from intruders. 

As per claims 9-10, Carlson discloses the data monitoring system dynamically 
collects and divides traffic flow data into variable number of buckets over a variable of 
memory locations as desired and compares the values against predetermined thresholds 
to determine if the traffic flow is out of compliance (see claim 23). Carlson further 
discloses discarding the 'marked' packets if the system deems those packets are 
causing denial of service attacks (i.e., by causing excess data traffic or traffic 
congestion) against its own network (col. 3, lines 40-46). 

As per claim 11, Carlson discloses the traffic is monitored at multiple levels of 
granularity, from aggregate to individual flows (col. 6, lines 37-41; data packets (most 
granular component of data flow) are being monitored by monitoring device to keep the 
network from intruders or out of compliance; streams of data that are out of compliance 
are 'marked' for discarding). 

As per claim 12, Carlson discloses the traffic is applied to monitoring of TCP 
packet ratios and repressor traffic (col. 5, lines 37-38; col. 3, lines 40-46; out of 
compliance packets are 'marked' for discarding when they pose a threat to the network). 

As per claim 13, Carlson discloses comparing accumulated statistic values from 
the buckets to second threshold values to determine that an event is of significance (col. 
3, lines 40-46; col. 7, lines 32-36 & 55-65; monitoring device compares the data units in 
the buckets to predetermined threshold values; out of compliance packets are 'marked' 
for discarding to prevent the system from excess network traffic or traffic congestion). 

As per claims 15-16, Carlson discloses based on the second threshold, the 
buckets are divided into more buckets (col. 7, lines 46-54; data flows can be separated 
and stored in plurality of 'buckets' as desired when a predetermined units of data 
threshold is reached in each bucket; data in each bucket is related to (or derived from) 
each other). 



Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

• Jones, 5,796,956; Plevyak et al, 6,848,005; Aubert et al, 6,388,992; Giroux et 
al, 6,370,116; Bar et al, 6,807,667; Hughes et al, 6,535,484; Schuba et al, 
6,725,378 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jack P Nguyen whose telephone number is (571) 272- 
3945. The examiner can normally be reached on M-F 8:30-5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glenton Burgess can be reached on (571) 272-3949. The fax phone 
number for the organization where this application or proceeding is assigned is 703- 
872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Dung C. D;; t ., 
Primary Examiner 



